Why sharing third-party cybersecurity evaluations with other companies might not work for your business
It’s well-understood that third parties allow businesses to be more efficient. By relying on services made to meet the needs of many organizations – bigger and smaller – businesses have the flexibility to scale while using services that are more robust and feature-complete than most home-grown solutions could be. It’s no wonder that some larger companies have thousands of third parties.
Less understood, however, is that the risks (including cyber risks) related to the work done by the third party still have to be managed. More and more companies are implementing processes for measuring third-party cyber risk, and questionnaires have emerged as one of the most common approaches for assessing a third party’s cybersecurity posture.
Questionnaires bring significant friction to the process of retaining a third party. They can have dozens or even hundreds of questions and each answer must be evaluated to make sure that the cybersecurity controls that the third party has – or claims to have – are appropriate.
Since third parties can make businesses more efficient by creating a shared, specialized resource, it’s natural to apply the same reasoning to this assessment process. What if the assessment could be shared so a vendor doesn’t have to answer a different set of questions each time? What if, by standardizing questions and answers, you could tell that a service provider has the proper cybersecurity controls before even sending them a questionnaire of your own?
As reasonable as this sounds, a critical piece is missing from this line of thought: two businesses can hire the same third party, but the relationship that this vendor has with each of them is unique. As such, the risks are not the same, and the relevance of each security control is certainly different.
Worst of all, though, is that reducing the friction of questionnaires to make them more efficient doesn’t address the main issue at hand: they are not effective. In some ways, it even makes them less effective! Here’s why:
Too many questions lead to outdated answers
IT services can be provided in a way that meets the needs of a wide range of businesses. If all of them are to accept a single questionnaire from their vendors, this document tends to become very large — real examples were more than a thousand questions long. It’s the only way for so many organizations with little in common to be satisfied with the answers.
Since it’s a lot of work to answer so many questions, repeating this process often is impractical. As such, the questionnaire can be updated only once or twice a year at best, inevitably being out of date most of the time.
In other words, as you attempt to optimize questionnaires, there’s a risk they become less useful and more difficult to work with.
Sometimes, you need to know more
Because companies often consider standard questionnaires as a way to improve a preexisting assessment process, gaps will likely be found. If you find yourself in this situation, you may still need some additional information regarding a few security controls — no matter how many questions someone else has asked on your behalf.
Questionnaires usually go through a lengthy and complex process before being adopted, gathering input from several departments within the organization, such as legal, procurement, IT, and risk management or governance. Throwing everything away in favor of a standard made by somebody else isn’t easy, and every question must be carefully examined to evaluate whether it covers the same controls and processes.
If any blind spots are found, they can’t be simply ignored — every question was there for a reason, after all. In the end, vendors will be required to answer an additional, tailored questionnaire on top of the document they share with others.
If a standard questionnaire is seldom enough on its own, it’s fair to say it’s more “preliminary” than “standard.”
One vendor can provide many services
Large cloud providers probably won’t segregate their infrastructure or provide custom security controls for you as they do for the government and a few large companies – unless you are as big or relevant as these other entities. Smaller vendors, on the other hand, are usually open to accommodating their customers in a variety of ways.
When vendors provide custom security controls and infrastructure, an assessment made by somebody else is not representative of what this vendor is doing for you. A premade questionnaire won’t be very useful (or even fair to the vendor) in these situations.
This issue is compounded by the fact that your relationship with each vendor is also different. If you’re storing or transmitting credit card data, the kind of security that you need might not be the same as when you’re storing encrypted email addresses to back up a marketing list. Ideally, questionnaires should always reflect what the vendor is doing for each business.
A case of premature optimization
Addressing third-party risk has proven to be very challenging. A survey from the World Economic Forum’s Global Cybersecurity Outlook noted that “41% of businesses that suffered a material impact from a third party said that it originated from a third party.”
In April, a Gartner survey revealed that security and risk management leaders are spending more time on activities related to third-party cyber risk management (TPCRM), but incidents have increased by 45% since 2021. With such numbers, it’s fair to question the effectiveness of what is being done.
Given that questionnaires are the most common approach to TPCRM, we should ask whether it’s worthwhile to optimize a process that is probably not even leading us to the outcomes we would like. This is akin to premature optimization in computer science — before trying to make something work faster and better, you have to make sure it’s doing what it needs to do.
What if you could use a system that automates data collection and report generation to keep an up-to-date assessment of your third parties’ security posture? And what if, on top of that, you could leverage real-time data retrieved from within their infrastructure using standard APIs? This would eliminate many of the limitations of traditional questionnaires.
So, when something isn’t working as we would like, we should look for an alternative.